This is going to branch into a bunch of separate questions.....here is some background for the question:

The Rijndael algorithm was crowned the new AES by Uncle Sam for sensitive, but unclassified info (128-256 key+block sizes through 10-14 rounds) . The Kerckhoff school of thought is "Let the algorithm be known, just keep the key secret". Uncle Sam doesn't agree.

I work in a military environment and I have 3 computers on my desk. One is NIPR (not secret), one is SIPR (Secret), and one is Centrix (Multinational Allies Secret).

Is the encryption that categorizes these systems hardware? Did it come with hardwired into my Dell laptops? Did they attain an Orange Book evaluation of A1 (verified design) or EAL7 from the Common Criteria?

OR....Is it just software/network connectivity based. So, when I baseline a computer and slap a green NIPR tag on it, or a red SIPR, it just means that they are "connected" to a safer network.

So is the encryption that surpassed the AES standards for computers labeled "Secret" applied at hardware, software, or network levels? If the answer could be put into an OSI layer method type of explanation, it would be cool.

This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
If this question can be reworded to fit the rules in the help center, please edit the question.

2

you may want to have them as separate questions, and also, for the majority of Military computers you would almost certainly want to be reading the usage manuals for your specific environment, as these are different between countries, divisions, departments, platforms etc
–
Rory Alsop♦May 4 '11 at 20:44

1

Can you clarify the question? You just want to know if outsiders happen to know what encryption algorithm is used on US military networks? My guess is that they use AES, and the security is mainly related to having a carefully isolated network. But folks who would really know for the classified systems likely shouldn't be talking about it here....
–
nealmcbMay 4 '11 at 22:25

5

You might not wanna discuss classified systems details on public (international!) forum, or identify yourself publicly as someone who has access to such. This is a total OPSEC fail! Unless you are a smart attacker trying to phish for data, in this case kudos for some creative/sneaky approach ;)
–
MarcinJun 3 '11 at 12:27

How about we keep this info off the web.
–
user4463Aug 23 '11 at 15:35

1

It's not necessarily the case that the "encryption surpassed AES" - it's just different (and secret). AES is thought to be secure. And just because you don't know the algorithm doesn't mean it wasn't designed with the assumption that attackers would know it. Kerckhoff doesn't say you have to actually tell anyone the algorithm, just that it should be secure in the face of an attacker that knows it.
–
Steve DispensaAug 23 '11 at 16:05

4 Answers
4

There are several ways to secure the systems you are questioning in a spectrum from just physical/logical isolation to multilevel security. Your set up is simply isolated networks with plain commercial systems as the user interface. The key in your secure facility is physical separation and some logical controls of network connections (as in your unclassified MAC address will not lash up to your classified network if your were to crawl under the desk and rewire). Bottom line is the hard drives are not encrypted by classification level. They are instead physically labeled and handled by controls related to the physical security of your facility (entry control, razor wire, MPs with guns, SSO, etc). That presents some issues (see Wikileaks) but the risk is considered cost effective. This allow commercial off the shelf (COTS) hardware to be used by the DoD and thus save money. Crypto is in play further down the wire away from your three desktops.

The three machines all have various application layer encryption related to services (for mail etc) but not provided to protect the classification level. There are also unencrypted packets coming into each machine. The encryption you are questioning is well documented and happens in the in the comms room converting the long haul traffic to normal (typically unencrypted) packets. The cable from the comms room to your machine sees unencrypted packets and application layer encrypted packets no matter the classification level of the desktop. That link is protected by physical security.
–
zedman9991May 6 '11 at 12:54

According to Wikipedia, the NSA has approved AES for "Top Secret" information.

You seem to think there is a single "crypto" thingy in the computer. It doesn't work that way. Each software application contains it's own crypto software. Some may choose to use the AES crypto in an OS API, or a hardware module (rare), or using it's own code (or library like OpenSSL). That's why every application needs to be validated that it does crypto correctly on a secure computer -- you can't simply validate the computer and just run anything on it.

The question iteslf is borderline sensitive/FOUO and shouldn't be discussed on this or any other forum. Green/Red/Purple stickers are on the desktops, the encryption methods for each network are not important as to how but rest assured they are safe.